Abstract

Event correlation is mandatory in any enterprise management platform. It has nothing to do with filtering out events. Namely, it has everything to do with relationships between events over a period of time.

In "A Conceptual Framework for Network Management Event Correlation and Filtering Systems [1a]," M. Hasan, B. Sugla and R. Viswanathan claim that it is impossible to compare the relative power of event correlation engines or even analyze them for their respective properties.

In this paper, I give a formal definition of the conceptual constructs, and show how they are abstracted to the upper-level paradigms. I study two of the most popular event correlation engines (as illustrative examples), and show that it is theoretically possible to move from one to the other without any ill effects.

In Appendix A, I compare a third, additional paradigm. I shed light on its weaknesses relative to the other paradigms described in the body of this text.

In Appendix B, we look at a totally different way to do event correlation. I shed light on its weaknesses relative to the preferred way, as described in the body of this text.
1 INTRODUCTION

The best way to do event correlation is via real-time, computational correlation. Event driven, it provides faster performance, greater architectural flexibility, and lower bandwidth needs. Two of the most popular paradigms are "state diagrams" and "electronic circuits." However, they accomplish the end result in very different (but related) ways.

Network management events can take many forms. Messages can arrive at the management station as plain ASCII, SNMP trap, or in the case of HP Open View [1b] Operations, opcmessage(s). In fact, these three examples represent at least three distinct languages. In the case of ASCII or MIB, multiple formal definitions can be defined.

The management station's role in correlation is to translate each of these languages into a common internal language, so that it can correlate non-homogeneous events across the enterprise.

Open Nervecenter [2a], the oldest network management event correlator, uses a paradigm of state diagrams, called models. HP Open View Event Correlation Services (ECS), designer and run-time engines, use the paradigm of serial and parallel circuits. This paper will show (proof by example) that through closure under concatenation it is possible to move from Nervecenter 'models' to ECS 'circuits,' should someone determine that it is practical to do so, or write a program to do so. This shows that there is no theoretical loss of functionality moving from one management platform to the other, despite cost differences or other motivating factors.
2 LANGUAGE DESCRIPTION AND THE EXTENSIBLE PARADIGM

Languages are described in one of two ways. For example, Perl describes languages by building up expressions using regular operations, called Regular Expressions. Nervecenter is built on Perl. We will show that Regular Expressions in Perl can be represented by a particular kind of non-deterministic finite automaton (NFA). And, Nervecenter extends that paradigm to the 'model.'

A more powerful way of describing languages is by defining a grammar [2b]. ECS relies on grammar definitions to do event correlation. An ECS grammar can be anything from a well-formed, standardized opcmessage; to an SNMP ASN.1 trap definition; to a grammar describing a custom ASCII language, like that found in a log file. We will show that these context-free grammars can easily be expressed as truth tables, and HP extends this paradigm to the 'circuit.'

3 NON-DETERMINISTIC FINITE AUTOMATA

As we mentioned already, Regular Expressions in Nervecenter can be represented by a particular kind of non-deterministic finite automaton (NFA). And, since the concept of NFA also expresses itself in the 'model' paradigm, it is useful to come up with a formal definition [3] so we can talk about them.

An NFA is a 5-tuple $(Q, \Sigma, \delta, q_0, F)$ where:

1. $Q$ is a finite set of states

2. $\Sigma$ is a finite alphabet

3. $\delta: Q \times \Sigma_\varepsilon \to \mathcal{P}(Q)$ is the transition function, where for any alphabet $\Sigma$ we write $\Sigma_\varepsilon$ to be $\Sigma \cup \{\varepsilon\}$. If a state with an $\varepsilon$ symbol on an exiting arrow is encountered, then without reading any input the automaton splits into multiple copies, one following each of the exiting $\varepsilon$-labeled arrows and one staying at the current state.

4. $q_0 \in Q$ is the start state

5. $F \subseteq Q$ is the set of accept states

Generalized non-deterministic finite automata (GNFA) are simply NFA wherein the transition arrows may have any regular expression as labels, instead of only members of the alphabet or $\varepsilon$. This representation describes the regular languages built up by expressions using regular operations. And, a language is called regular if some finite state automaton (FSA) recognizes it.
4 DETERMINISTIC FINITE AUTOMATA

By definition, every GNFA can be represented by an NFA. Furthermore, every NFA can be represented by a deterministic finite state automaton (DFA). All models appear deterministic in Nervecenter. So, one may ask when a model becomes non-deterministic.

A model becomes non-deterministic when it instantiates a new model in a transition on input a from some state X. In effect, one state transitions to two distinct states on input a. From the standpoint of the original model, the destination state in the new model ($q_1$) is neither a start state nor an accept state; it is only an extension of the original model awaiting input of the next event from an input stream.

Bear in mind that, unlike from the standpoint of a circuit, the model can generate its own input via a 'FireTrigger' event. In Nervecenter, these actions occur on transition. It is helpful to look inside the action blocks for each transition to see if these situations occur.

Step 1 in converting from 'model' to 'circuit' is moving from NFA to DFA [4a] [4b]. (If a model does not instantiate a new model, then you can skip this step.)

Let:

• DFA 'M' = $(Q', \Sigma, \delta', q_0', F')$
• NFA 'N' = $(Q, \Sigma, \delta, q_0, F)$

1) $Q' = \mathcal{P}(Q)$

Every state of 'M' is a set of states of 'N.' If k is the number of states in 'N,' it has $2^k$ subsets of states. (Each subset corresponds to one of the possibilities that 'M' must remember. So, 'M' will have $2^k$ states.)

2) For $R \in Q'$ and $a \in \Sigma$, let $\delta'(R, a) = \{q \in Q \mid q \in \delta(r, a) \text{ for some } r \in R\}$. If R is a state of 'M,' it is also a set of states of 'N.'

$\delta'(R, a) = \bigcup_{r \in R} \delta(r, a)$

When 'M' reads a in R, R may go to a set of states. The notation $\bigcup_{r \in R} \delta(r, a)$ means the union of the sets $\delta(r, a)$ for each possible r in R.

3) $q_0' = \{q_0\}$

'M' starts in the state corresponding to the collection containing just the start state of 'N.'

4) $F' = \{R \in Q' \mid R \text{ contains an accept state of } N\}$. 'M' accepts if one of the possible states that 'N' could be in at this point is an accept state.

5) $\varepsilon$ arrows [4c]

For any state R of 'M,' we define $E(R)$ to be the collection of states that can be reached from R by going along $\varepsilon$ arrows, including the members of R themselves. Formally, for $R \subseteq Q$ let $E(R) = \{q \mid q$ can be reached from R by traveling along 0 or more $\varepsilon$ arrows$\}$.

Modify the transition function of 'M' to place additional fingers on all states that can be reached by going along $\varepsilon$ arrows after every step. Replacing $\delta(r, a)$ by $E(\delta(r, a))$ achieves this effect. Thus:

$\delta'(R, a) = \{q \in Q \mid q \in E(\delta(r, a)) \text{ for some } r \in R\}$

6) Modify the start state of 'M' to move fingers initially to all possible states that can be reached from the start state of 'N' along the $\varepsilon$ arrows. Changing $q_0'$ to be $E(\{q_0\})$ achieves this effect.

5 CONTEXT FREE GRAMMAR (CFG) AND THE EXTENSIBLE PARADIGM



A grammar is a collection of substitution rules, called productions. It is comprised of variables and terminals; one variable is the start variable, and occurs on the left-hand side of the topmost rule. Sequences of substitutions that generate strings, called derivations, constitute the language of the grammar.

CFG(s) describe context free languages (CFL), including features that have recursive structures. And, many are a union of simpler CFG(s). In fact, it is worth mentioning that the class of regular languages is closed under union, concatenation and *. CFL are a superset of regular languages. So, the class of CFL is also closed under union, concatenation and *. (The star operation is a unary operation instead of a binary operation. It works by attaching any number (including 0) of strings in 'A' together to get a string in the new language. The empty string is always a member of 'A*.') We see signatures of this closure in ECS Designer. For example, the union of simpler 'circuits' (saved as libraries) can build new 'circuits.'

Since the concept of CFG expresses itself in the 'circuit' paradigm within ECS, it is useful to come up with a formal definition [5a] so we can talk about them.
A CFG is a 4-tuple $(V, \Sigma, R, S)$ where:

1) $V$ = finite set, called variables

2) $\Sigma$ = finite set, disjoint from V, called terminals

3) $R$ = finite set of rules (a variable, and a string of variables, terminals and $\varepsilon$)

4) $S$ = start symbol (left-hand side of first rule)

For an example CFG, take a look at the simple language of all strings of properly nested parentheses [5b]:

$L(G) = (\{S\}, \{(,)\}, \{S \to (S) \mid SS \mid \varepsilon\}, S)$

We first constructed a DFA for our regular language, so constructing a CFG is easy. Step 2 in moving from 'model' to 'circuit' is the process of that construction [6].

1) make a variable $R_i$ for each state $q_i$

2) add the rule $R_i \to a R_j$ to the CFG if $\delta(q_i, a) = q_j$ is a transition in the DFA, where $q_i$, $q_j$ are states and a is an input symbol

3) add the rule $R_i \to \varepsilon$ if $q_i$ is an accept state of the DFA

4) make $R_0$ the start variable of the grammar, where $q_0$ is the start state

5) many CFG would need to "remember"; for example: $\{0^n 1^n \mid n \ge 0\}$ becomes the rule $R \to uRv$ (with u = 0 and v = 1) such that the portion containing u's corresponds to the portion containing v's.

6) In more complex languages, strings may contain certain structures that appear recursively as part of different (or the same) structures. Namely, any time a terminal appears, an entire parenthesized expression might appear recursively instead. To achieve this effect, place the variable symbol generating the structure in the location of the rules corresponding to where that structure may recursively appear.

6 CFG TO CHOMSKY NORMAL FORM (CNF)

A CFG is in Chomsky Normal Form (CNF) if every rule is of the form [7]:

$A \to BC$
$A \to a$

where 'a' is a terminal; A, B, C are any variables (B, C cannot be the start variable); and we permit $S \to \varepsilon$, where 'S' is the start variable.

The process of converting from BNF to CNF is Step 3 of our move from 'model' to 'circuit.' That process is as follows [8]:

1) eliminate all $\varepsilon$ rules of the form $A \to \varepsilon$

2) eliminate all unit rules of the form $A \to B$

3) convert remaining rules to proper form

a. use $\wedge$, $\vee$, $\neg$ (AND, OR, NOT) only

b. push $\neg$ ("not") down to each proposition

c. distribute OR over AND
7 TRUTH TABLES

CNF clauses can be evaluated using truth tables. This is Step 4 in our process going from 'model' to 'circuit.'

As a simple example, let's consider the fact that "a node is down, unless it is up." Expressed as predicates, we could say "A, unless B." Using the proposition rules of the Predicate Calculus, "that which follows unless is negated and moved to the antecedent of an implication": $\neg B \to A$

Converting to CNF, this is expressed as: $(A \oplus B) + B$

A B | (A ⊕ B) + B
0 0 | 0
0 1 | B
1 0 | A
1 1 | B

* As an aside, it is interesting to note that the running time is $O(2^n)$ for n propositions.



8 THE CIRCUIT

Finally, we can express our CNF clause as an ECS 'circuit.' And that is Step 5:

$(a \oplus b) + b$

[Figure: the ECS circuit for (a ⊕ b) + b, drawn from inputs A and B.]

* HP may represent the node as a different symbol.

The use of the "unless" circuit in our example was not a trivial one. Indeed, "unless" is used more frequently in the design of ECS circuits than any other node. The reason for this should be obvious to the reader at this point. The unless circuit is an atom:

$(a \oplus b) + b$




9 PRACTICAL EXAMPLE

Consider the following Nervecenter model. The purpose of this model is to monitor the temperature of Cisco routers. If a trap shows a problem, the alarm transitions to the TempWarning state and sends a warning inform to the management platform. In 30 minutes, we then poll the temperature status again for verification. If there is a continued problem, Nervecenter sends a critical inform to the management platform. The poll repeats itself every 30 minutes. Once the problem has been corrected, the alarm returns to ground.
[Screenshot: VERITAS NerveCenter client, alarm definition "Temperature" (property and scope fields not legible; Enabled: On; option "Clear Triggers for Reset To Ground or Off" shown). State list: TempWarning (severity Minor), TempCritical (severity Critical), Ground (severity Normal). Transition list (From State, To State, Trigger): TempCritical → TempCritical (trigger not legible); TempCritical → Ground, CsTempOk; TempWarning → TempCritical, CsTempCritical; TempWarning → Ground, CsTempOk; Ground → TempWarning, CsTempWar... (truncated).]



By viewing the "Notes" for any model, you can obtain a list of the states. Here is a list of the states in our example model. We number the states.

STATES

1. Ground

2. TempWarning

3. TempCritical

TRANSITIONS

- Warning Event (W)

- OK Event (O)

- Critical Event (C)

If on input 'a' a model instantiates a new model on transition from state X, then we need to incorporate the new model. Check the 'FireTrigger' statements where the name of the trigger is not part of the original model, but exists as a transition in another model. Draw a second arrow from state X such that it extends to the destination state ($q_1$) of the incorporated model. Do not treat ($q_1$) as a start state or an accept state from the standpoint of your original model.

If your model does not reference other models on any transition arrow, you may skip to section 10.3. But, as an exercise, we will treat our sample Nervecenter model as an NFA. It is not, but the process would be the same if it were. By working through the process together, it serves as an example of how to go from NFA to DFA. Since our sample model is not an NFA, it will be returned to us at the end of the exercise.

10.1 The number of states in the sample Nervecenter model is 3. Therefore, our DFA "D" will have 8 states. Every state in the model is also in D. Thus D's state set is:

{∅, {1}, {2}, {3}, {1,2}, {1,3}, {2,3}, {1,2,3}}

The new start state E({1}) is equal to the set of states that are reachable from 1 by traveling along ε arrows, plus 1 itself. So, E({1}) = {1}.

The new accept states are those containing the model's accept state. By convention we will use the ground state (state 1); thus {{1}, {1,2}, {1,3}, {1,2,3}}.

Finally, we determine D's transition function. Each of D's states goes to one place on input 'Warning,' one place on input 'Critical,' and one place on input 'OK.'

• In D, state {2} goes to {3} on input 'Critical' because state 2 goes to state 3 in the model on input 'Critical' and we can't go further from 2 or 3 along ε arrows.

• In D, state {2} goes to {1} on input 'OK' because state 2 goes to state 1 in the model on input 'OK' and we can't go further from 2 or 1 along ε arrows.

• In D, state {3} goes to {3} on input 'Critical' because state 3 goes to state 3 in the model on input 'Critical' and we can't go further from 3 along ε arrows.

• In D, state {3} goes to {1} on input 'OK' because state 3 goes to state 1 in the model on input 'OK' and we can't go further from 3 or 1 along ε arrows.

• In D, state {1} goes to {2} on input 'Warning' because state 1 goes to state 2 in the model on input 'Warning' and we can't go further from 1 or 2 along ε arrows.

• In D, state {1} goes to ∅ on input "OK" because no arrows exit it.

• In D, state {1} goes to ∅ on input "Critical" because no arrows exit it.

• In D, state {2} goes to ∅ on input "Warning" because no arrows exit it.

• In D, state {3} goes to ∅ on input "Warning" because no arrows exit it.

• In D, state {1,2} on "Warning" goes to state {2} because 1 goes to 2 on "Warning" in the model, and 2 points to no states with "Warning" arrows. Neither points anywhere with ε arrows.

• In D, state {1,2} on "OK" goes to state {1} because 2 goes to 1 on "OK" in the model, and 1 points to no states with "OK" arrows. Neither points anywhere with ε arrows.

• In D, state {1,2} on "Critical" goes to state {3} because 2 goes to 3 on "Critical" in the model, and 1 points to no states with "Critical" arrows. Neither points anywhere with ε arrows.

• In D, state {1,3} on "OK" goes to state {1} because 3 goes to 1 on "OK" in the model, and 1 points to no states with "OK" arrows. Neither points anywhere with ε arrows.

• In D, state {1,3} on "Warning" goes to state {2} because 1 goes to 2 on "Warning" in the model, and 3 points to no states with "Warning" arrows. Neither points anywhere with ε arrows.

• In D, state {1,3} on "Critical" goes to state {3} because 3 goes to 3 on "Critical" in the model, and 1 points to no states with "Critical" arrows. Neither points anywhere with ε arrows.

• In D, state {2,3} on "OK" goes to state {1} because 2 and 3 go to 1 on "OK" in the model, and 1 points to no states with "OK" arrows. Neither points anywhere with ε arrows.

• In D, state {2,3} goes to ∅ on input "Warning" because no arrows exit it.

• In D, state {2,3} on "Critical" goes to state {3} because 2 and 3 go to 3 on "Critical" in the model. Neither points anywhere with ε arrows.

• In D, state {1,2,3} on "OK" goes to state {1} because 2 and 3 go to 1 on "OK" in the model, and 1 points to no states with "OK" arrows. None points anywhere with ε arrows.

• In D, state {1,2,3} on "Warning" goes to state {2} because 1 goes to 2 on "Warning" in the model, and neither 2 nor 3 points to any states with "Warning" arrows. None points anywhere with ε arrows.

• In D, state {1,2,3} on "Critical" goes to state {3} because 2 and 3 go to 3 on "Critical" in the model, and 1 points to no states with "Critical" arrows. None points anywhere with ε arrows.
[Figure: the result of applying the steps to go from NFA to DFA.]




10.2 We simplify the above machine by noting that no arrows point at: {1,2}, {1,3}, {2,3}, {1,2,3}.



10.3 We next make a CFG to describe the DFA.

S → R1
R1 → W1 R2
R2 → O2 R1
R2 → C2 R3
R3 → O3 R1
R3 → C3 R3

Variables: R1, R2, R3, R0
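The walk-through of sections 10.1 to 10.3 carried out in code, as an added example that is not part of the paper or of either product: the subset construction of section 4 (including the ε-closure step, which the Temperature model does not exercise), the pruning of unreachable DFA states from 10.2, and the DFA-to-CFG rules of section 5. The dictionary encoding of the model, the terminal names W1/O2/C2 (input letter plus source state, following 10.3) and the choice to omit arrows into the dead state R0 are assumptions made here.

```python
from itertools import combinations

# Constructed encoding of the paper's Temperature model (section 9): states 1 = Ground,
# 2 = TempWarning, 3 = TempCritical; inputs W (Warning), O (OK), C (Critical).
TEMP_MODEL = {
    "states": {1, 2, 3},
    "alphabet": ["W", "O", "C"],
    "delta": {(1, "W"): {2}, (2, "O"): {1}, (2, "C"): {3},
              (3, "O"): {1}, (3, "C"): {3}},
    "epsilon": {},                # state -> states reachable by one epsilon arrow (none here)
    "start": 1, "accept": {1},    # Ground is the accept state, per the paper's convention
}

def eps_closure(nfa, states):
    """E(R): states reachable from R along 0 or more epsilon arrows, R included."""
    closure, todo = set(states), list(states)
    while todo:
        for nxt in nfa["epsilon"].get(todo.pop(), ()):
            if nxt not in closure:
                closure.add(nxt)
                todo.append(nxt)
    return frozenset(closure)

def dfa_step(nfa, R, a):
    """delta'(R, a) = union over r in R of E(delta(r, a)); frozenset() is the 0 state."""
    return eps_closure(nfa, set().union(*(nfa["delta"].get((r, a), set()) for r in R)))

def subset_construction(nfa):
    """Section 4, steps 1-6: all 2^k DFA states, transitions, start E({q0}), accept states."""
    ordered = sorted(nfa["states"])
    states = [frozenset(c) for n in range(len(ordered) + 1)
              for c in combinations(ordered, n)]
    trans = {(R, a): dfa_step(nfa, R, a) for R in states for a in nfa["alphabet"]}
    start = eps_closure(nfa, {nfa["start"]})
    accept = {R for R in states if R & nfa["accept"]}
    return states, trans, start, accept

def reachable_states(trans, start, alphabet):
    """Section 10.2: keep only the DFA states that some path from the start reaches."""
    seen, todo = {start}, [start]
    while todo:
        R = todo.pop()
        for a in alphabet:
            if trans[(R, a)] not in seen:
                seen.add(trans[(R, a)])
                todo.append(trans[(R, a)])
    return seen

def dfa_to_cfg(trans, states, accept, alphabet):
    """Section 5, steps 1-3: R_i -> a_i R_j per transition, R_i -> eps per accept state.
    Arrows into the empty (dead) state are omitted, since R0 derives no string."""
    name = lambda R: "R" + "".join(str(q) for q in sorted(R)) if R else "R0"
    rules = []
    for R in sorted(states, key=sorted):
        for a in alphabet:
            if trans[(R, a)]:
                rules.append(f"{name(R)} -> {a}{name(R)[1:]} {name(trans[(R, a)])}")
        if R in accept:
            rules.append(f"{name(R)} -> eps")
    return rules

def temperature_cfg():
    """Model -> NFA -> DFA -> CFG for the paper's example (sections 10.1 to 10.3)."""
    states, trans, start, accept = subset_construction(TEMP_MODEL)
    live = reachable_states(trans, start, TEMP_MODEL["alphabet"])
    return dfa_to_cfg(trans, live, accept & live, TEMP_MODEL["alphabet"])
```

Running `temperature_cfg()` reproduces the six rules of 10.3 plus `R1 -> eps` for the accepting ground state, which section 5 step 3 calls for and the paper's listing leaves implicit.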

10.4 We next convert the CFG to CNF.

W1 R2
O2 R1
C2 R3
O3 R1
C3 R3



10.5 We next construct a truth table.

[Truth table over the inputs W1, C2, O2, C3, O3 with derived columns C2 ⊕ O2, C3 ⊕ O3, (W1 ⊕ A) + W1, (C2 ⊕ B) + C2 and (C3 ⊕ O3) + C3; the row values are not legible in this copy.]

W unless (C2 unless (C3 unless O3))
10.6 THE CIRCUIT

W unless (C2 unless (C3 unless O3))

[Figure: the ECS circuit for W unless (C2 unless (C3 unless O3)).]

10.6b CIRCUIT KEY

t = 30, the time delay for the unless circuit in ECS
⊕ exclusive OR
+ OR
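The unless atom of sections 7 and 8 and the nested expression of 10.5 and 10.6, as an added example that is not from the paper or from HP's ECS: the atom (A ⊕ B) + B, a row-by-row check of it against the implication reading ¬B → A, and a truth-table enumerator (2^n rows for n inputs, the running time noted in section 7) applied to W unless (C2 unless (C3 unless O3)). The 0/1 encoding and the input set W1, C2, C3, O3 are assumptions; O2 appears in the paper's table but not in the final expression, so it is left out.

```python
from itertools import product

def unless(a, b):
    """ECS 'a unless b' as the paper's CNF atom (a XOR b) + b, on 0/1 values."""
    return (a ^ b) | b

def implication_form(a, b):
    """'A, unless B' read the section 7 way: the implication not-B -> A,
    evaluated as 'antecedent false, or consequent true'."""
    antecedent = not b
    return int((not antecedent) or a)

def truth_table(expr, names):
    """Every assignment of the named inputs paired with the circuit output: 2^n rows."""
    return [(dict(zip(names, bits)), expr(*bits))
            for bits in product((0, 1), repeat=len(names))]

def temperature_circuit(W1, C2, C3, O3):
    """Sections 10.5 and 10.6: W unless (C2 unless (C3 unless O3)), built from the atom."""
    return unless(W1, unless(C2, unless(C3, O3)))

def atom_matches_implication():
    """Section 7's claim checked on all four rows: (A XOR B) + B equals not-B -> A."""
    return all(unless(a, b) == implication_form(a, b)
               for a, b in product((0, 1), repeat=2))

def rows_firing(expr, names):
    """Input assignments on which the circuit output is 1 (the rows that raise an inform)."""
    return [row for row, out in truth_table(expr, names) if out]
```

Because the atom simplifies to A + B, the nested circuit fires on every assignment except all inputs at 0; the table has 16 rows and 15 of them fire.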



11 CONCLUSION

Given that the class of ECS circuits is closed under concatenation, larger circuits can be constructed using smaller ones. We have shown that it is possible to express a basic Nervecenter model as a simple ECS circuit. So, it is possible to construct complex ECS circuits representing large Nervecenter models. In summary, to do so involves a series of well defined translation operations:

Model → NFA → DFA → CFG → CNF → Truth Table → Circuit